Telephone Scams - Don't Panic
A number of our clients have been hit with telephone scams, so we thought we should explain what these scams are all about. Don't Do What They Say - These are all scams.
Call us (Agrisea) if you have any concerns.
Everyone may have heard of the IRS scam where they call you and say that if you don't pay them right now, police will be pounding on your door to arrest you - It's a scam - The IRS doesn't call people. If this happens to you, feel free to give them a few choice words and hang up.
Someone calls you to say your computer is infected with something nasty - They may say your full name and address or other information which makes them sound legit; don't fall for it, it's a scam. They will ask you to let them have remote access to your PC to prove to you that there is an infection - Please Do Not Do That - That is a sure-fire way for you to lose money and get your identity stolen. Hang up on them.
Another PC-related scam happens while you are surfing the web: a pop-up ad appears, sometimes with a computer voice telling you that your computer is infected and to call a number (other ads are silent). The ad appears to lock up the PC, when in fact it has only locked up the browser.
In Windows, right-click on the taskbar and select Task Manager, find your web browser (Edge, Chrome, Firefox, Safari, or Internet Explorer) and select close - There may be a number of instances of the web browser open; close all of them. When the ad finally disappears you can reopen your browser and delete the tab that displayed the ad (if it is still there).
Never call that number because they will, like the telephone caller, ask you to allow them remote access to your computer and try to prove to you via scare tactics that you have a serious infection, then charge you a lot of money to fix something that isn't broken. If you have allowed them remote access to your PC, they will attempt to copy your data off your hard drive (storage drive), which can lead to identity theft or draining of money from your bank accounts.
The Refund Scam - Someone calls you and says they have a refund for you but need access to your PC - Hang up as this is also a scam.
If you are taken advantage of, we have resources for you, and you may be able to get your money back and safeguard yourself from further attacks. Feel free to download our Incident Report (in PDF format), print it out and fill in the blanks (excluding those where it says Agrisea) for your records. Make sure you file an FTC Report about the event and enter that report # on your form. Next, call your local police non-emergency line to report the scam, show the filled-out form to your bank and credit card company, and request a refund for however the fraud was paid for. If the payment was by an electronic check, request that the bank stop payment on the check and lock your account for a period of time (one of our clients had an unauthorized access to their business account 3 months after the incident). Locking an account is a pain in the neck because the bank will call you for every transaction made to make sure it is valid, but losing everything is much worse, in our opinion.
No one should ever have remote access to your PC, unless you have requested remote service from Agrisea or a trusted business partner. Agrisea uses TeamViewer for remote service but you have to call us and follow the instructions on our Remote Support page for us to perform that activity for you. If in doubt, don't use someone shady.
Backdoor Account Found in 100K+ Firewalls, VPN gateways, & Access Point Controllers
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.
The username and password (zyfwp/PrOw!aN_fXp) were visible in one of the Zyxel firmware binaries.
Affected models include many of Zyxel's top products from its line of business-grade devices, usually deployed across private enterprise and government networks. Read more on ZDnet
Ransomware comes to Linux.
RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June. The Windows-based ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, U.S. government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ)... Those who created RansomEXX have created a Linux version of their ransomware.
Source: ZDnet
Americans should use caution when using hotel wireless networks (Wi-Fi) for telework.
"FBI has observed a trend where individuals who were previously teleworking from home are beginning to telework from hotels. US hotels, predominantly in major cities, have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment. While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks. Malicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests."
"Attackers target hotels to obtain records of guest names, personal information, and credit card numbers. The hotel environment involves many unaffiliated guests, operating in a confined area, and all using the same wireless network. Guests are largely unable to control, verify, or monitor network security. Cyber criminals can take advantage of this environment to monitor a victim’s internet browsing or redirect victims to false login pages. Criminals can also conduct an “evil twin attack” by creating their own malicious network with a similar name to the hotel’s network. Guests may then mistakenly connect to the criminal’s network instead of the hotel’s, giving the criminal direct access to the guest’s computer."
Quotes are from the Federal Bureau of Investigation Public Service Announcement.
Phishing Affects You at Work & Home - How To Protect Yourself
Phishing is a problem not just for businesses but also for home users - Phishing will lead to compromised computers, possibly even a ransomware attack. Smishing is when you are targeted by a text or social media message, while phishing arrives by email or even over the phone.
There is an excellent article on CSO Online with links to 9 different ways to stop or slow down phishing attempts - You will need to register (for free) to read the article.
"Before you implement an anti-phishing solution, make sure you’ve taken some basic measures to mitigate the risk from phishing. Standard protocols for authenticating email and preventing spam and email spoofing — SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) — are freely available and relatively easy to implement. These protocols won’t remove the threat of phishing, but they will make life more difficult for the opposition." If you are unsure how to go about turning these protocols on, check with your local IT or computer guru for help.
"Phishing and its variants are ultimately social engineering attacks, intended to convince end users of either the requestor’s trustworthiness, the request’s urgency, or both. Trustworthiness is established through things like official-looking emails, login pages or even contact names the user will recognize and trust. Phishing attempts often try to influence the victim’s judgement by manipulating their emotional state, making claims about accounts that are already compromised or suggesting that business or financial disaster is imminent if timely action is not taken."
Quotes are from the CSO Online article. Make sure you view the four other articles on Phishing.
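As an added example (not from the CSO Online article or from Agrisea), here is a PowerShell check of the SPF and DMARC records the quote refers to. It runs the parsing against constructed records for a weak setup and a corrected one; the Test-MailDomain function does the same against a live domain using Resolve-DnsName from the Windows DnsClient module. The function names are my own, and example.com, example.net and the mailbox in the sample records are placeholders.

```powershell
# Added example, not code from the CSO Online article or from Agrisea.
# Evaluates a domain's SPF and DMARC TXT records. The sample records at the
# bottom are constructed; example.com / example.net are placeholder domains.

function Test-SpfRecord {
    param([string[]]$TxtStrings)   # all TXT strings published at the domain apex

    $spf = @($TxtStrings | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) {
        return [pscustomobject]@{ Present = $false; Strict = $false; Note = 'no SPF record published' }
    }
    if ($spf.Count -gt 1) {
        # RFC 7208 treats more than one SPF record as a permanent error; receivers then ignore SPF
        return [pscustomobject]@{ Present = $true; Strict = $false; Note = 'multiple SPF records (invalid)' }
    }
    $record = $spf[0].Trim()
    # The trailing "all" mechanism decides what happens to senders the record does not list
    $note = switch -Regex ($record) {
        '\s-all$'  { 'ends with -all (hard fail for unlisted senders)' }
        '\s~all$'  { 'ends with ~all (soft fail); move to -all once every sending source is listed' }
        '\s\+all$' { '+all authorizes every sender and gives no protection at all' }
        default    { 'no explicit all mechanism; unlisted senders get a neutral result' }
    }
    [pscustomobject]@{ Present = $true; Strict = ($record -match '\s-all$'); Note = $note }
}

function Test-DmarcRecord {
    param([string[]]$TxtStrings)   # all TXT strings published at _dmarc.<domain>

    $rec = @($TxtStrings | Where-Object { $_ -like 'v=DMARC1*' })
    if ($rec.Count -eq 0) {
        return [pscustomobject]@{ Present = $false; Policy = ''; Note = 'no DMARC record published' }
    }
    # A DMARC record is a list of tag=value pairs separated by semicolons
    $tags = @{}
    foreach ($pair in ($rec[0] -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $policy = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { '' }
    $note = switch ($policy) {
        'reject'     { 'p=reject: mail failing SPF/DKIM alignment is refused' }
        'quarantine' { 'p=quarantine: failing mail goes to the spam/junk folder' }
        'none'       { 'p=none: monitoring only; failing mail is still delivered' }
        default      { 'missing or unknown p= tag; the record is not enforceable' }
    }
    if (-not $tags.ContainsKey('rua')) { $note += '; no rua= address, so you receive no aggregate reports' }
    [pscustomobject]@{ Present = $true; Policy = $policy; Note = $note }
}

function Get-TxtStrings {
    param([string]$Name)
    # Live lookup through the DnsClient module; one TXT answer may be split into
    # several strings that have to be joined back together before parsing.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { -join $_.Strings }
}

function Test-MailDomain {
    param([string]$Domain)
    [pscustomobject]@{
        Domain = $Domain
        SPF    = Test-SpfRecord   (Get-TxtStrings $Domain)
        DMARC  = Test-DmarcRecord (Get-TxtStrings "_dmarc.$Domain")
    }
}

# --- constructed records: a weak setup and the corrected one ---
$weakApex  = @('v=spf1 include:_spf.example.net +all', 'google-site-verification=placeholder')
$weakDmarc = @('v=DMARC1; p=none')
$goodApex  = @('v=spf1 ip4:203.0.113.10 include:_spf.example.net -all')
$goodDmarc = @('v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s')

'--- weak ---'
Test-SpfRecord   $weakApex  | Format-List
Test-DmarcRecord $weakDmarc | Format-List
'--- corrected ---'
Test-SpfRecord   $goodApex  | Format-List
Test-DmarcRecord $goodDmarc | Format-List
# Against a real domain (needs network access): Test-MailDomain 'example.com'
```

The weak records pass the "is it present?" test that many checklists stop at, yet `+all` and `p=none` mean a spoofed message from your domain is neither rejected nor even quarantined; the corrected pair is what makes forged mail fail at the receiving side.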
Oregon Department of Justice issues scam alert related to Covid-19 contact tracing
The Oregon Department of Justice has issued a scam alert for people who are pretending to be contact tracers. These imposters send emails and text messages with links to fraudulent websites. Clicking on the link may download software onto a device, giving them access to an array of your personal and financial information.
If you receive an email or a text message you think might be from a scammer posing as a contact tracer, first, do not click on any links. Then, file a complaint online at www.oregonconsumer.gov or call 877-877-9392 and ask that a complaint form be mailed to you.
For more information on other COVID-19 scams, visit www.oregonconsumer.gov/COVID-19.
For more information on what you can expect from state, local, or tribal health department contact tracing efforts, visit www.healthoregon.org/contacttracing.
Love Your Privacy? Use Avast or AVG? Your web browsing data is being sold
Avast and its subsidiary AVG have been collecting all of your web browsing data (clicks, purchases, and searches on every site) and sending it to another Avast subsidiary called Jumpshot. The data is repackaged into various products and sold to many of the largest companies in the world. This activity has been going on for years without user consent or notification. However, if you reinstall the Avast or AVG apps, they will ask you for consent to collect this data - Obviously, if you must use these apps, we suggest you say NO to data collection unless you do not care about your privacy.
Avast claims to have more than 435 million monthly active users and Jumpshot says they have data from more than 100 million devices. The data does not contain personal information such as names, email addresses, but does include timestamps, which if used with other data could unmask exactly who was using a particular site.
Until October 2019, Avast had a plugin that was supposed to warn users of suspicious websites but it was deactivated in Firefox, Opera, and Chrome after Adblock Plus creator Wladimir Palant discovered that the plugin was actually harvesting data. Avast is currently harvesting data directly through their anti-virus app. About a week ago, Avast started to ask their free antivirus consumers to opt-in to data collection.
[Source: Vice.com]
Cisco IOS XE routers exposed to rare 10/10-severity security flaw
Cisco is urging customers to check for and install updates for a critical flaw affecting its IOS XE operating system, which powers millions of enterprise network devices. The flaw allows anyone on the internet to bypass the login for an IOS XE device without the correct password.
"The flaw, tracked as CVE-2019-12643, affects Cisco's REST application programming interface (API) virtual container for ISO XE and exists because the software doesn't properly check the code that manages the API's authentication service. Cisco says it has confirmed that the flaw affects Cisco 4000 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, the Cisco Cloud Services Router 1000V Series, and the Cisco Integrated Services Virtual Router."
Cisco also disclosed five high-severity flaws that affected its Unified Computing System Fabric Interconnect, NX-OS software, and FXOS software.
[Source: ZDnet]
SWAPGS attack allows the kernel memory to be leaked
"Security researchers have found a new way to abuse the speculative execution mechanism of modern CPUs to break security boundaries and leak the contents of kernel memory. The new technique abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre."
"SWAPGS allows the kernel to gain access to internal, per-CPU data structures, when a process transitions from user-mode to kernel mode. However, researchers from Bitdefender found that the instruction’s behavior when executed speculatively is poorly documented and has security implications."
"Windows most vulnerable to SWAPGS vulnerability" - “A quick analysis of the Linux kernel revealed that although it contains a gadget which may be used in an attack, it lies inside the Non-Maskable Interrupt (NMI) handler,” Bitdefender [white paper] researchers said in their paper. “We therefore believe that Linux would be difficult (if not impossible) to attack.”
[Source: CSO Online]
Researchers have found 11 serious vulnerabilities in VxWorks, the real-time operating system that powers over 2 billion devices
"While VxWorks is used in over 2 billion devices, Wind River said in an emailed press release that these vulnerabilities only impact "a small subset" of its customer base, primarily "enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices." However, Armis estimates the flaws expose over 200 million "mission-critical" devices. Researchers at Armis dubbed these flaws as URGENT/11."
"Not all of the vulnerabilities exist in all VxWorks versions, but most versions are affected by at least one of them. The remote code execution flaws can be exploited by simply sending maliciously crafted TCP packets to a vulnerable device, without any additional changes needed to their default configurations."
"According to Armis [IoT security firm], vulnerable devices include industrial SCADA systems, elevator and industrial controllers, patient monitors and MRI machines, firewalls, routers, satellite modems, VOIP phones, printers and more. Prior to 2006, when Wind River acquired the vulnerable TCP/IP stack called IPnet, the stack was also licensed and distributed to other real-time operating system (RTOS) vendors, so there is a high possibility that devices running other real-time operating systems are also vulnerable."
[Source: CSO Online]
Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
If you own a Linksys router listed below, we strongly urge you to replace it with any other router (except those made by Cisco) so that your network is safe.
Read the full report here.
'Zombieload' - Affects Intel CPUs
"...academics say that all Intel CPUs released since 2011 are most likely vulnerable." If you use AMD or any other CPU, you are not affected and can stop reading this article.
Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU.
The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow.
'Zombieload' is what researchers have named a Microarchitectural Data Sampling (MDS) attack, and targets a CPU's microarchitectural data structures, such as the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU. These are smaller-sized caches that are used alongside the main CPU cache.
Microsoft, Apple, and the Linux project are expected to have operating system updates roll out later today, or in the coming days. [Source: ZDnet]
RANSOMWARE RESOURCES
Dharma
Qbot
No More Ransom Portal
Gandcrab [Bitdefender]
download & run this vaccination batch file for Petya & NotPetya
WannaDecrypt0r for [Windows XP, Windows 8, and Windows Server 2003]
WannaDecrypt0r [security bulletin MS17-010] for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Disable JavaScript directions for IE, Chrome, Safari, & Firefox. Please note that if you already use Firefox, all you need to do is install NoScript (search for it in Add-ons), which by default blocks JavaScript. So if you need JavaScript on a web site you trust, click on Options and Allow that web site.
ANDROID ALERTS
"To help owners of Android devices to distinguish between genuine, effective Android antivirus apps on the one hand, and dubious/ineffective ones on the other, AV-Comparatives have again tested the effectiveness of antimalware programs for Android, in the 2019 Android Test. For this test, we searched for and downloaded 250 antimalware security apps by various different developers from the Google Play Store. 80 apps detected over 30% of malicious apps, and had zero false alarms." [The list can be found here.]
"The anti-malware apps from the following 138 vendors detected less than 30% of the Android malware samples, or had a relatively high false alarm rate on popular clean files from the Google Play Store (please note that some company names are quite generic): 1Machine System Sdn Bhd, actionappsgamesstudio, Amantechnoapps, AMIGOS KEY, Amnpardaz Soft, AndroHelm Security, ANTI VIRUS Security, Antivirus Mobile Lab, antivirus security, appflozen, appsshow, Appzila, Arcane Apps, AS team security phone Lab, asuizksidev, Ayogames, AZ Super Tools, azemoji studio, Baboon Antivirus, bESapp, Best Battery Apps, Best HD Wallpapers APPS, Best Tools Pro, BestOne, Bit Inception, BKAV, Bom Bom, Booster studio Laboratory Inc., brouno, Bulletproof AV, Caltonfuny Antivirus Phone, Cheetah Mobile, CHOMAR, Chromia, Cloud 7 Services, Core Antivirus Lab, CPCORP TEAM, Photo blur & photo blender, CreativeStudioApps, CY Security, Defenx, DefineSoft, DreamBig Studios, DU Master, electro dev, Erus IT Private Limited, Falcon Security Lab, Fast n Clean, fluer-apps.com, Formation App, Free Apps Drive, FrouZa, Galaxy TEAM, GameXpZeroo, GlobalsApps, gndnSoftware, GOMO Apps, GoNext App Developers, Gridinsoft, LLC, handy tools apps, Hello Security, Immune Smart, INCA Internet, infiniteWays007, Islamic Basic Education, Itus Mobile Security, JESKO, jixic, Kolony Cleaner, Koodous Mobile, lempea, LINE, LIONMOBI, Live multi Player Game, Main Source 365 Tech, Mama Studio, MAN Studio, Marsolis Tech, Max Antivirus Lab, Max Mobi Secure, MaxVV, Mob Utilities, Mobile Tools Plus, Mobtari, Mond Corey, M-Secure, MSolutions, MSYSOFT APPS, My Android Antivirus, NCN-NetConsulting, Nepelion Camp, Nisi Jsc, Niulaty, NP Mobile Security, NPC Studios, Omha, Oxic Studio, Pix2Pic Studio, playyourapp, Pro Tool Apps, prote apps, Protector & Security for Mobile, Puce, Radial Apps 2018, RedBeard, Secure Cloud, SecureBrain2, Security and Antivirus for Android solutions, Security Apps Team, Security Defend, SECURITY LAB, Security Systems Lab, SecurityApplock, Sept Max, ShieldApps, SjaellSoft, SkyMobileTeam, Smart Battery Solution & Creative Screen Lock, smarteazyapps, Software Center, Soft War, stmdefender, Systweak Software, TAIGA SYSTEM, Tokyo Tokyo, Tools dev, tools for android, Utilitarian Tools, Vainfotech, VHSTUDIO, Vikrant Waghmode, Virinchi Software, Virtues Media & Application, VSAR, Wingle Apps, Xtechnoz Apps, XZ Game, Z Team Pro."
MARCHER TROJAN MALWARE ON ANDROID
Super Mario Run, a mobile game by Nintendo, is currently only available to Apple iOS users - Android users must wait for their version yet third-party web sites already claim this app is available - Do Not Download It - This fake app is actually the "Marcher" Trojan Malware.
Only get your apps for Android from the Google Play Store; ignore web sites that claim anything else.
The Marcher app, when you install it, requires you to give it administrative access, which means whoever is behind Marcher may monitor the device and steal login data not just for banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud. [Read more about it here.]
SSA PHONE SCAM
Be on the lookout for phone scammers pretending to be from the United States Social Security Administration. The SSA said that more than 35,000 people reported the scam in 2018, compared to just over 3,000 in 2017.
The scammers will often say your Social Security number is about to be suspended because of suspicious activity.
Your Social Security number will never be suspended and you do not have to verify your number to anyone who calls. The Social Security Administration will never call to threaten your benefits or tell you to wire money or send cash.
PROCESSOR FLAWS
3 More Flaws Found in Intel CPUs
"Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University*, Technion – Israel Institute of Technology*, University of Michigan*, University of Adelaide* and Data61*1. Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software." Read More Details Here.
AMD Ryzen & Epyc Processors Affected by Security Vulnerabilities
"A newly discovered set of vulnerabilities in AMD chips is making waves not because of the scale of the flaws, but rather the rushed, market-ready way in which they were disclosed by the researchers. When was the last time a bug had its own professionally shot video and PR rep, yet the company affected was only alerted 24 hours ahead of time? The flaws may be real, but the precedent set here is an unsavory one." [TechCrunch]
AMD's response: " We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops." [AMD]
Meltdown & Spectre
Microsoft issued an out-of-band update on the weekend that disables Intel's mitigation for CVE-2017-5715, or the Variant 2 Spectre attack described as a "branch target injection vulnerability". This update disables Intel's patch and is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. Not only was Intel's fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances. [Source: ZDnet]
Intel Flaw Patches
Major PC manufacturers [Dell, HP, or Lenovo] released patches for their Intel-powered PCs, but ".. chances are very good that the BIOS or UEFI firmware update you installed earlier this month is bad. If you flashed your BIOS or UEFI this month, you’ll almost undoubtedly have to flash it again just to get rid of the buggy code. Then you’ll have to upgrade the firmware once again, at a later time." [source: Computerworld]
1/23/18: Intel executive vice president Neil Shenoy said on Monday that the chip-maker has identified the source of some of the recent problems, so it is now recommended that users skip the available patches. "We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." Source: Intel
1/6/18: Kicking off 2018 with a bang, we get notice from a lot of sources that there are two new ways to exploit PCs running specific CPU types. The largest problem is "Meltdown", which affects Intel CPUs, yet Microsoft appears to be issuing a patch that fixes all CPUs for both exploits; AMD CPUs are not affected by Meltdown, so those systems will slow down anyway. Thanks Microsoft!
Updating list of Patches.
Spectre and Meltdown explained
CHROME FAKE FONT SCAM
If you have ever been on a web page and seen strange characters in the text, usually it means the author is using a different text encoding (Agrisea, for example, uses Western) - Look in your web browser (Text Encoding is under View in Firefox). However, NeoSmart Technologies (an Agrisea technology partner) shows examples of the latest scam affecting the Chrome web browser:
Random characters on a grayed-out web page with a white box showing the Chrome logo and a "font missing" warning - Except it is all a scam - Do not download anything & close that page. An example:
EMAIL ATTACHMENTS
If you had not heard, 2016 was an aggressive year for JavaScript email attachments that distribute malware, but with Google banning those types of attachments on 2/13/17, attackers are now switching to less suspicious file types to trick users.
According to Microsoft Malware Protection Center, a new wave of spam emails carries .LNK files inside ZIP archives. Those files had malicious PowerShell scripts attached to them. "You may think that you are protected from fileless malware because your PowerShell execution policies are set to 'Restricted' so that scripts can't run," the Intel Security researchers said in a blog post. "However, attackers can easily bypass these policies."
Another file type used to distribute malware is SVG (Scalable Vector Graphics). While many people correctly associate .SVG files with images, it's a little-known fact that such files can actually contain JavaScript. "Attackers use SVG files to execute JavaScript when users open what they believe to be images inside their browsers", wrote SANS Internet Storm Center.
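As an added example (not code from Microsoft, Intel Security, SANS, or Agrisea), here is a PowerShell triage script for the attachment types described above: it lists what is inside a ZIP before anything is extracted, flags names that are scripts or shortcuts rather than documents (including the "photo.jpg.lnk" double-extension trick), and checks an SVG for embedded script. The sample ZIP and SVG are constructed in a temporary folder, and the function names are my own.

```powershell
# Added example, not code from Microsoft, Intel Security, SANS or Agrisea.
# Looks at an attachment without opening it: what is inside a ZIP, whether the
# names are executable types, and whether an SVG carries script. The sample
# files created below are constructed for the demonstration.

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that run code when double-clicked, whatever icon Windows shows for them
$script:RiskyExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.lnk', '.hta',
                            '.ps1', '.scr', '.exe', '.com', '.bat', '.cmd', '.svg', '.jar')

function Get-AttachmentRisk {
    param([string[]]$Names)   # file names as they appear in the mail or inside an archive
    foreach ($name in $Names) {
        $ext = [System.IO.Path]::GetExtension($name).ToLower()
        $reasons = @()
        if ($RiskyExtensions -contains $ext) { $reasons += "executable/script type $ext" }
        # "invoice.pdf.js" shows up as a PDF when Explorer hides known extensions
        if ($name -match '\.(pdf|docx?|xlsx?|jpe?g|png)\.[a-z0-9]{2,4}$') { $reasons += 'double extension' }
        [pscustomobject]@{ Name = $name; Risky = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
    }
}

function Get-ZipEntryNames {
    param([string]$ZipPath)
    # Reads the central directory only; nothing is extracted or executed
    $archive = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try     { @($archive.Entries | ForEach-Object { $_.FullName }) }
    finally { $archive.Dispose() }
}

function Test-SvgHasScript {
    param([string]$SvgPath)
    $text = Get-Content -Path $SvgPath -Raw
    # <script> elements, on* event handlers and javascript: URLs all execute once a browser renders the file
    [bool]($text -match '(?i)<script\b|\son[a-z]+\s*=|javascript:')
}

# --- constructed samples in a temporary folder ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('attachment-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

$zipPath = Join-Path $dir 'resume.zip'
$zip = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
foreach ($n in 'cover-letter.pdf', 'resume.docx', 'photo.jpg.lnk') { $zip.CreateEntry($n) | Out-Null }
$zip.Dispose()

$svgPath = Join-Path $dir 'diagram.svg'
@'
<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/>
<script>/* constructed sample: whatever is placed here runs when the file is opened in a browser */</script></svg>
'@ | Set-Content -Path $svgPath

"Entries in $zipPath"
Get-AttachmentRisk (Get-ZipEntryNames $zipPath) | Format-Table -AutoSize
"diagram.svg contains script: $(Test-SvgHasScript $svgPath)"
Remove-Item -Recurse -Force $dir
```

Run it against a saved copy of a suspicious attachment rather than from the mail client, and treat a flagged entry as a reason to call the sender on the phone, as item 2 under HACKING, SPIES, & CYBERCRIMINALS below suggests. The check reads names and text only; it is a first look, not a substitute for up-to-date antivirus.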
HACKING, SPIES, & CYBERCRIMINALS
1) First thing you must know: keeping your accounts safe must be your top priority, so if you get an email asking you for your login or password, delete it - No one you already do business with is going to ask you for that information. And if it is someone in your company wanting to know, walk over and ask them why they want it - They might be infected and not even know it.
2) If an email sounds like it is from one of your friends but seems to be slightly off, call them on your phone to ask, and don't click on links in that email. The email might be a phishing attempt by a spy and not the James Bond type either.
3) Seriously, change your password often (that means more than once a year) and don't use the same password for every place.
4) H.R. departments are coming under attack by fake job applications that arrive in email, usually with a PDF file attachment (like a cover letter) and also a Microsoft Office file of some kind. When that file (Excel, Word, etc.) is opened, it says macros must be enabled, and if you enable them, ransomware encrypts your computer... See Article 2 below for more.
The "bad guys" out there in cyberspace want to steal whatever they can get from you and where you work. And if they can get a virtual foot in the door on something you use, like your phone, it opens up your whole world that they can then exploit. Which means it will cost you, maybe money or identity theft or maybe something even worse.
So, next time Agrisea tells you to change your password, don't make a face; we are trying to keep you safer in an increasingly hostile world.
Read more about what is happening in these articles on ZDnet: 1 & 2.